JP4381317B2 - Content reproduction apparatus, content reproduction method, and program - Google Patents

Description

  The present invention relates to a content playback apparatus that plays back and executes content data including video / audio information and a program recorded on a recording medium such as an optical disk, and more particularly to a content playback apparatus connected to a server via a network.

  In recent years, an optical disc reproducing apparatus for reproducing an optical disc on which data such as video and audio such as a DVD and a video CD is recorded has been developed. These devices are widely used for viewing movie software and the like.

  DVD is a standard related to a disc for reproducing video / audio information recorded on an information recording medium, and was issued in 1996 by the DVD Forum as “DVD Specifications for Read-Only Disc Part 3: VIDEO SPECIFICATIONS”. This standard supports the MPEG2 system as a moving picture compression system and the MPEG audio compression system and the AC-3 audio compression system as audio compression systems. Further, sub-picture data which is bitmap data used for movie subtitles, and control data (navigation pack) such as fast-forward playback and fast-rewind playback are defined.

  On the other hand, video information devices having a network connection function have been developed with the recent spread of the Internet. For example, in a video information apparatus having a function of receiving and recording a television broadcast, a function of receiving data of an electronic program guide from a server connected via a network and recording based on the contents has been developed.

  As a conventional technique related to the video information apparatus having the network connection function, Patent Document 1 discloses an image display apparatus that provides a service in which a DVD video title and an HTML file provided on the Internet are merged. In this image display device, it is possible to connect to the Internet based on the URL extracted from the navigation pack and display HTML content in conjunction with the scene being reproduced.

  Further, in Patent Document 2, not only simply displaying HTML content, but also reproducing an image with high expressive ability using extended information acquired from a server connected via a communication line, and an unspecified number of people In order to prevent connection to an optical disc, an optical disc apparatus is disclosed in which authentication processing is performed by sending data on an optical disc to a server.

However, Patent Document 1 does not discuss a security problem caused by acquiring content via a network, and Patent Document 2 performs an authentication process to restrict optical disk devices that can be connected to a server. However, the optical disk apparatus can reproduce the DDoS (DDoS () by playing the problem related to the danger of acquiring dangerous content created maliciously from the connected server or the dangerous content created maliciously. (Distributed Denial of Service) The problem regarding the risk of becoming a stepping stone for attacks is not taken into consideration, and the examination on security is insufficient.
Japanese Patent Laid-Open No. 11-161663 JP 2004-79055 A

  As described above, in a conventional video information apparatus having a network connection function, in order to restrict video information apparatuses that can be connected to a server, the authenticity of the disk is only guaranteed by performing disk authentication. . Accordingly, the video information device may cause a DDoS attack or the like by playing a problem related to the risk of acquiring malicious content created maliciously from a connection destination server, or playing dangerous content created maliciously. There was a problem that it was not possible to connect to the network with peace of mind, because the problem related to the danger of becoming a stepping stone for the network was not taken into consideration.

  Therefore, in view of the above problems, the present invention avoids execution / reproduction of a disc on which falsified content data is recorded, and limits servers connected during reproduction / execution of content data and programs recorded on the disc. It is an object of the present invention to provide an apparatus and method for reproducing content.

  A content playback apparatus that stores content data including video / audio data and a program, and plays back and executes the content data from a recording medium that stores an identifier indicating a server to which access is permitted on a network, includes: (a) the recording medium (B) storing the read identifier in the storage means, and (c) the server on the network included in the program during the reproduction and execution of the content data. When a connection request to an identifier is detected, it is verified whether or not the detected identifier matches the identifier stored in the storage means, and (d) corresponds to the identifier stored in the storage means (E) a server corresponding to the identifier stored in the storage means, on the recording medium In order to verify the validity of the recording medium using the data read from the storage area, communication is performed with the server, and (f) the server identifier included in the program and stored in the storage means When the validity of the server corresponding to the identifier stored in the storage means and the validity of the recording medium are verified, the connection request is received and stored in the storage means. By connecting to the server corresponding to the identifier, execution / reproduction of the recording medium storing the altered content data is avoided, and a server connected during reproduction / execution of the content data or program stored in the recording medium is provided. It can be limited.

  It is possible to avoid execution / reproduction of the recording medium storing the altered content data, and to limit servers connected during reproduction / execution of the content data or program stored in the recording medium.

  Embodiments of the present invention will be described below with reference to the drawings.

  FIG. 1 shows an example of the configuration of a content reproduction apparatus for reproducing content data recorded on a recording medium according to an embodiment of the present invention. Here, a case where the recording medium is a disk such as an optical disk will be described as an example, and a content reproduction apparatus that reproduces content data recorded on the disk will be described.

  Content data including video / audio data and an executable program (script) describing a series of processing procedures using a language such as XML (Extensible Markup Language) is recorded on the disc. The content reproduction apparatus has a function for reproducing video / audio data recorded on the disk, a function for executing a program, and a function for connecting to a predetermined network such as the Internet by inserting the disk on which the content data is recorded. . The program recorded on the disc includes a program including an identifier (for example, a domain name) of a connection destination server and processing for connecting the content reproduction apparatus to the server. The data stored in the program stored on the disc, the data or program used when playing back the video / audio data, etc., if the disc is legitimate (the server corresponding to the identifier included in the program) For example, this server is a server corresponding to an identifier stored in a specific area of the disk).

  In the present embodiment, content data recorded on a legitimate disc provided by a distributor (distributor) which records and sells content data on a recording medium (for example, a disc) For each title), one server is provided on the network. In other words, the type of content data recorded on a legitimate disc is associated with the server on a one-to-one basis. The server identifier (for example, the domain name here) corresponding to the content data recorded on the disc is recorded in a predetermined specific area of the disc.

  There may be one or more servers corresponding to the type of content data. In the latter case, a plurality of server identifiers are recorded in a specific area of the disk.

  If the content data (including the program) on the disc has not been tampered with, and the server stored in the specific area of the disc is valid, the data on the legitimate (not tampered) disc The identifier of the server stored in the specific area is a predetermined server corresponding to the content data on the disc, and the identifier of the connection destination server included in the program on the disc is the specific area of the disc. Is equal to the identifier stored in (if a plurality of identifiers are stored, any one of them).

<Configuration>
As shown in FIG. 1, the content playback apparatus includes a disk control unit 1, a network access control unit 2, a playback / execution control unit 3, a communication unit 4, and a storage control unit 5.

  The disk control unit 1 detects that a disk has been inserted, and reads information recorded on the disk. The reproduction / execution control unit 3 reproduces / executes the video / audio data and program read by the disk control unit 1. The communication unit 4 is for communicating with a server via a network.

  The network access control unit 2 performs control for accessing the server 101 corresponding to the disc currently reproduced by the reproduction / execution control unit 3 (content data recorded on the disc) and server authentication (described later). ) And disk authentication (described later). The network access control unit 2 includes a connection destination management unit 21, a connection destination verification unit 22, a server authentication unit 23, and a disk authentication unit 24.

  The storage control unit 5 performs control for storing data (including video / audio data, programs, and the like) acquired from a disk or a network (server 101) inserted in the content reproduction device in a predetermined storage device 6. Do.

  Hereinafter, the processing operation of the content reproduction apparatus of FIG. 1 will be described.

<Server authentication and disk authentication>
In the present embodiment, the type of content data recorded on a legitimate disc is associated with the server on a one-to-one basis. The domain name of the server corresponding to the content data recorded on the disc is recorded in a predetermined specific area of the disc.

  In order to limit the servers that can be accessed when the content playback device is playing a disc to only the servers corresponding to the domain names stored in the specific area of the disc, the content playback device before accessing the server. In order to verify whether or not the server is a valid server corresponding to the domain name stored in the specific area on the disk, server authentication is performed.

  Also, when content data recorded on the disc (particularly a program included in the content data) has been tampered with, the content playback device is prevented from executing the tampered program and accessing an unauthorized server. In order to do so, the content reproduction apparatus performs disk authentication for verifying the validity of the disk after performing the server authentication.

  The server authentication and the disc authentication are performed when the disc is inserted into the content reproduction device or after the disc is inserted into the content reproduction device (for example, by executing a program recorded on the disc). This is performed when an access request to (network) occurs first.

  (1) A case where server authentication and disc authentication are performed when a disc is inserted into the content reproduction apparatus will be described with reference to the flowcharts shown in FIGS.

(1-1) Server Authentication As shown in FIG. 2, when a disc is inserted into the content reproduction apparatus 100 (step S1), the disc detection unit 11 detects the insertion of the disc (step S2). In response to this, the disk reading unit 12 reads the domain name of the connection destination from a predetermined specific area on the disk (step S3). The read domain name is notified to the connection destination management unit 21 of the network access control unit 2. The connection destination management unit 21 records the notified domain name in a connection destination management table as shown in FIG. 18 stored in the memory in the connection destination management unit 21 (step S4). Note that if data indicating that the domain name is empty (for example, “0”) is stored in the specific area on the disk, server authentication is not performed. When a connection request to the network occurs, access to the network is not performed.

  The connection destination management unit 21 stores the domain name in the connection destination management table only while the disc is inserted into the content reproduction apparatus 100. For this reason, when the disk detection unit 11 detects removal of the disk, the connection destination management unit 21 deletes the domain name stored in step S4 from the connection destination management table shown in FIG.

  In step S4, when the domain name read from the specific area of the disk is stored in the connection destination management table, the server authentication unit 23 starts authentication processing of the server corresponding to the domain name. In this case, first, the communication unit 4 acquires an IP address corresponding to the domain name from a predetermined DNS (Domain name system) server (step S5). The server authentication unit 23 uses this acquired IP address to access the network, and performs an authentication process for acquiring a server certificate corresponding to the domain name (step S6).

  As a method for authenticating a server via a network, for example, SSL (Secure Socket Layer) / TLS (Transport layer security) widely used in the WWW (World Wide web) on the Internet or the like is used. SSL / TLS is an authentication method based on a public key encryption method, and a client receives a server certificate authenticated by a certificate authority called a root certificate authority and confirms its contents to guarantee the validity of the server. It is a method. Furthermore, in SSL / TLS, a processing procedure in which data is encrypted and communicated by both the client and the server is defined, and data tampering due to interception on the network can be prevented.

  In SSL / TLS, a method for exchanging certificates according to the procedure shown in FIG. 3 is defined. That is, first, a ClientHello message including a list of usable encryption algorithms and the like is transmitted from the client (content reproduction device 100) to the server (server 101) (step S501). Next, the server transmits a Server Hello message including information indicating the encryption algorithm to be used among the encryption algorithms in the list to the client (step S502). Thereafter, a Certificate message including the server certificate is transmitted to the client (step S503), and by transmitting a ServerHelloDone message, the certificate transmission is terminated (step S504).

  The client encrypts the common key using the public key of the server acquired from the certificate transmitted from the server, and transmits a Client Key Exchange message including the encrypted common key to the server (step S505). Next, in order to prevent falsification of the message, the digest of the previous message is calculated, and a Finished message including the digest is transmitted to the server (step S506). On the other hand, the server obtains the common key, calculates the message digest in the same manner as the client, and transmits it to the client (step S507).

  In FIG. 3, by setting the client as the content playback device 100, the content playback device 100 acquires a server certificate (server certificate) corresponding to the domain name read from the specific area of the disk in step S503. (Step S7).

  The connected server name is collated with the server name included in the server certificate acquired from the server 101 (step S8). If the two match and the server authentication is successful, the server 101 is determined to be a legitimate server corresponding to the domain name stored in the specific area of the disc inserted in the content reproduction apparatus 100. Is done. If the connected server name and the server name included in the server certificate acquired from the server 101 do not match, it is determined that the server authentication has failed.

  The server authentication unit 23 records the value of the server authentication flag indicating whether or not the server authentication is successful in the connection destination management table shown in FIG. 18 stored in the connection management unit 21. If the server authentication is successful (step S9), the value of the server authentication flag is set to “1” (step S10). When server authentication fails (step S10), the value of the server authentication flag is set to “0” (step S11).

  While the server authentication flag is “1”, it indicates that the server 101 is valid. Therefore, when the validity of the server cannot be confirmed, the value of the server authentication flag is returned to “0”. For example, when a communication session with a server that has been successfully authenticated is disconnected, or when a predetermined time has elapsed, the server authentication unit 23 changes the value of the server authentication flag from “1” to “ Rewrite to "0".

  The authentication process in step S6 in FIG. 2 may be a unique authentication process based on a public key cryptosystem instead of SSL / TLS. A processing procedure in this case will be described.

  First, the disk reading unit 12 of the disk control unit 1 reads a public key stored in advance on the disk and stores it in a predetermined memory. Next, the server authentication unit 23 requests the server to transmit a certificate. The server that has received the request encrypts the certificate with the private key of the server and transmits it to the content reproduction apparatus. Upon receiving the certificate, the server authentication processing unit 23 decrypts the certificate with the public key, and collates the server name included in the decrypted certificate with the connected server name. If the two match and the server authentication is successful, the server 101 is determined to be a legitimate server corresponding to the domain name stored in the specific area of the disc inserted in the content reproduction apparatus 100. The server authentication flag “1” is stored. If the connected server name does not match the server name included in the decrypted certificate, it is determined that the server authentication has failed, and the server authentication flag “0” is stored.

  For example, if the server certificate contains the domain name of the server, it can be confirmed that the server is connected to a valid server.

  If the server authentication as described above fails, connection to the network is not performed even if a request for connection to the network occurs while the content playback device is playing back the content on the disc.

  When the server authentication as described above succeeds, it is guaranteed that the server is a valid server corresponding to the domain name recorded in the specific area of the disk, and a server that can be connected from the content playback device is connected. The server can be limited to the server corresponding to the domain name stored in the destination management table.

  If the server authentication is successful, then disk authentication is performed.

(1-2) Disc Authentication In disc authentication, it is checked whether or not the content data recorded on the disc inserted in the content reproduction apparatus is valid. When falsified content data (particularly falsified and illegal program) is recorded on the disc by performing disc authentication, accessing the legitimate server by executing the illegal program Can be avoided.

  The disk authentication process will be described below with reference to the flowchart shown in FIG.

  When the server authentication as shown in FIG. 2 is successful, the disk authentication unit 24 checks whether the domain name is stored in the connection destination management table and whether the server authentication is successful (step S21). When the domain name is not stored in the connection destination management table and the server authentication flag is “0” (step S21), the subsequent disk authentication processing is not performed. Accordingly, access to the network cannot be performed (step S22).

  When the domain name is stored in the connection destination management table and the server authentication flag is “1” (step S21), it corresponds to the domain name stored in the connection destination management table via the communication unit 4. A disk authentication request is transmitted to the server to be executed (step S23).

  The server that has received the disk authentication request randomly selects a recording area in which data that can identify the disk on the disk is recorded (step S24). Here, not only one but also a plurality of recording areas may be selected. Then, the content reproduction apparatus is requested to transmit the hash value of the data recorded in the selected recording area (step S25). At this time, it may be requested to transmit the data after encryption using a predetermined algorithm.

  When the content reproduction apparatus 100 receives this transmission request, the disc authentication processing unit 24 reads the data in the recording area designated by the server from the disc via the disc control unit 1 (step S26), and the read data Is calculated (step S27).

When it is requested to transmit after encryption from the server, this hash value is encrypted using a predetermined algorithm. The obtained hash value is transmitted to the server (step S28).

  The server includes a legitimate disk on which content data corresponding to the server is recorded. The server that has received the hash value reads data from the recording area selected in step S24 on the disk, and calculates the hash value. Then, the calculated hash value is compared with the hash value received from the content reproduction device (step S29). If they do not match (when disc authentication fails), the hash value is inserted into the current content reproduction device. It is determined that there is a possibility that the content data recorded on the disc is falsified. In this case, the server transmits an access non-permission notification to the content reproduction apparatus 100 (step S31).

  If the hash value calculated by the server matches the hash value received from the content playback device (when disc authentication is successful), the content data recorded on the disc currently inserted in the content playback device is It is determined that it has not been tampered with. In this case, the server transmits an access permission notification to the content reproduction device 100 (step S33).

  When the content reproduction apparatus 100 receives the access permission notification / access non-permission notification from the server, the disk authentication unit 24 stores the connection shown in FIG. 18 stored in the connection management unit 21 based on the content of the received notification. The value of the disk authentication flag indicating whether or not the disk authentication is successful is recorded in the destination management table. When the access permission notification is received and the disk authentication is successful, the value of the disk authentication flag is set to “1” (step S34). When the access non-permission notification is received and the disk authentication fails, the value of the disk authentication flag is set to “0” (step S32).

  In the disc authentication process, the server randomly selects a recording area in which data that can be identified by the disc is recorded for the disc on which the content data corresponding to the server is recorded, and is transmitted from the content playback device. Using the hash value of the data in the selected recording area, it is determined whether or not the data in the recording area has been tampered with.

  Instead of performing disc authentication using data in an arbitrary recording area on such a disc, data in the recording region on the disc where a program that may cause other harm if tampered is recorded Another disk authentication process using (program) will be described with reference to the flowchart shown in FIG. In FIG. 5, the same parts as those in FIG. 4 are denoted by the same reference numerals, and only different parts will be described.

  That is, step S24 in FIG. 4 is replaced with step S24a and step S24b in FIG. 5, step S25 in FIG. 4 is replaced with step S25a in FIG. 5, and step S27 in FIG. 4 is replaced with step S27a in FIG. Thus, step S29 in FIG. 4 is replaced with step S29a in FIG.

  In step S24a of FIG. 5, when the server receives the disk authentication request, a recording area on the disk in which a program that may cause other harm if tampered is selected. In this case, the server determines where the recording area of the program (the program that may cause other harm if tampered) is recorded on the disc on which the content data corresponding to the server is recorded. Pre-stored. Then, at least one of the recording areas where the program is recorded is selected. A plurality of recording areas may be selected.

  Next, in step S24b, the server generates a random data series. In step S25a, the content reproduction apparatus 100 is requested to transmit a hash value calculated from the generated data series and the data (program data) recorded in the recording area selected in step S24a. To do. At this time, it may be requested to transmit the data after encryption using a predetermined algorithm.

  When the content reproduction apparatus 100 receives this transmission request, the disc authentication processing unit 24 reads data in the recording area designated by the server from the disc via the disc control unit 1 (step S26). In step S27a, the read data and the data series sent from the server are connected to calculate a hash value of the entire data including the read data and the data series sent from the server. When it is requested to transmit after encryption from the server, this hash value is encrypted using a predetermined algorithm. The obtained hash value is transmitted to the server (step S28).

  The server includes a legitimate disk on which content data corresponding to the server is recorded. In step S29a, the server that has received the hash value reads the data from the recording area selected in step S24a on the disc, concatenates the read data and the data series generated in step S24b, and reads the read data. The hash value of the entire data including the data series generated in step S24b is calculated. Then, the calculated hash value is compared with the hash value received from the content reproduction apparatus (step 29a). Thereafter, as in FIG. 4, when the two do not match (when the disk authentication fails), the server transmits an access non-permission notification to the content reproduction device 100 (step S31), and the content reproduction device. Sets the disk authentication flag to “0” (step S32). When the hash value calculated by the server matches the hash value received from the content reproduction device (when disc authentication is successful), the server transmits an access permission notification to the content reproduction device 100 (step S1). (S33) The content reproduction apparatus sets the disc authentication flag to “1” (step S34).

  The disc authentication is valid until the disc is removed from the content reproduction apparatus. That is, when the disc is removed from the content playback apparatus, the disc authentication flag is rewritten to “0”.

  In the above description, whether or not the disk authentication is valid is determined based on the value of the disk authentication flag. However, as another method, a method using a validity period specified by the server (a period for guaranteeing the validity of the disk) and a session identifier is used. This will be described below. For example, when HTTP (Hyper Text Transfer Protocol) is used as a communication protocol, this can be realized by using Cookie.

  In step S33 of FIGS. 4 and 5, the server, together with the access permission notification, the valid period (for example, “300 seconds”) and the session identifier (for example, a random character string for identifying the content reproduction device generated by the server). Is transmitted to the disk authentication processing unit 24. The disk authentication processing unit 24 stores the validity period and the session identifier sent from the server in the connection destination management table stored in the connection management unit 24. Thereafter, as shown in FIG. 8, when communicating with the server in step S54, the server can confirm that the disk authentication is performed by adding this session identifier to the communication data to the server. The server rejects communication data to which a session identifier is not added even if it is sent from the content reproduction apparatus.

  The disc authentication processing unit 24 is saved when the saved validity period has passed or when an operation of the content playback device (for example, when the disc is removed by the user or the content being played back is stopped). The valid period value is set to “0”, and the session identifier is deleted. At this time, the disk authentication flag may be updated from “1” to “0”.

  After the stored effective period has elapsed, or after the effective period has become “0” by the above-described predetermined user operation, the effective period has become “0”, or the content data When the connection request to the network is generated during the reproduction / execution of the disk, the disk authentication is performed again.

  If the stored session identifier is deleted, it is not possible to communicate with the server in step S54 in FIG. 8, and therefore disk authentication is performed again.

  As described above, when the valid period is used, the valid period is “0” in step S53 in FIG. 8 in order to connect to the server in response to the connection request generated during the reproduction / execution of the content data. Not to be added as a condition. When using a session identifier, it is added as a condition that the session identifier is stored in step S53 of FIG.

  In the present embodiment, one server has been described as performing disk authentication processing corresponding to a certain content. However, a plurality of disk authentication processes can be performed by one server. In this case, for example, an identifier for uniquely identifying a disc or content is stored on the disc, and when the disc is authenticated, the identifier is read from the disc and transmitted to the server, so that the server can identify which disc. it can.

  (2) A case where server authentication and disk authentication are performed when an access request to the server (network) is generated after the disk is inserted into the content reproduction apparatus will be described with reference to the flowchart shown in FIG. In FIG. 6, the same parts as those in FIG. 2 are denoted by the same reference numerals, and only different parts will be described. That is, step S2 in FIG. 2 is replaced with step S12 in FIG.

  In the server authentication shown in FIG. 2, in step S2, when the disc is inserted into the content playback apparatus, the disc reading unit 12 obtains the domain name of the connection destination from a predetermined specific area on the disc. Read (step S3).

  On the other hand, in the server authentication shown in FIG. 6, after the disc is inserted into the content reproduction apparatus in step S12, an access request to the server (network) is made by executing a program recorded on the disc, for example. In response to the first occurrence, the disk reading unit 12 reads the domain name of the connection destination from a predetermined specific area on the disk (step S3). Subsequent processing operations are the same as the processing operations from step S4 to step S11 in FIG.

  After performing the server authentication process of FIG. 6, disk authentication as shown in FIG. 4 or FIG. 5 is performed.

  (3) Refer to the flowchart shown in FIG. 7 for another example in which server authentication and disk authentication are performed when a request for access to the server (network) occurs after a disk is inserted into the content reproduction apparatus. explain. In FIG. 7, the same parts as those in FIGS. 2 and 6 are denoted by the same reference numerals, and only different parts will be described. That is, in FIG. 7, as in FIG. 2, triggered by detecting insertion of a disc into the content playback device (step S <b> 2), the disc reading unit 12 starts from a predetermined specific area on the disc. The domain name of the connection destination is read (step S3). Then, the read domain name is recorded in the connection destination management table as shown in FIG. 18 stored in the memory in the connection destination management unit 21 (step S4). Up to this point, the process is the same as in FIG.

  7 is different from FIG. 2 in that the processing from step S5 to step S11 of the server authentication unit 23 is after the processing from step S12 to step S14 in FIG. That is, the disc detection unit 11 detects the insertion of the disc into the content reproduction apparatus, and the domain name read from the specific area of the disc is recorded in the connection destination management table (steps S1 to S1 in FIG. 7). Step S4). Thereafter, by executing the program recorded on the disc inserted in the content reproduction device, when a connection request to the server (network) is generated first, that is, the connection request is transmitted from the reproduction / execution control unit 3. When output (step S12 in FIG. 7), the connection request is detected by the connection destination verification unit 22 of the network access control unit 2. The connection destination verification unit 22 acquires the domain name of the connection destination specified by the program (step S13).

  The connection request generated by the playback / execution control unit 3 by executing the program recorded on the disc includes the domain name of the connection destination included in the program. The connection destination verification unit 22 acquires the domain name of the connection destination included in this connection request.

  Next, the connection destination verification unit 22 compares the acquired domain name with the domain name recorded in the connection destination management table (step S14), and if the two match, it is recorded in the connection management table. The server authentication process (steps S5 to S11) corresponding to the domain name is started.

  If the acquired domain name is different from the domain name recorded in the connection destination management table, the process is stopped here, and the server authentication process (steps S5 to S11) in the server authentication unit 23 is not performed. As a result, the content reproduction apparatus 100 does not connect to the network.

  When the acquired domain name matches the domain name recorded in the connection destination management table, the server authentication unit 23, as in FIG. 2, performs the server corresponding to the domain name recorded in the connection management table. The authentication process (steps S5 to S11) is started. That is, the server authentication unit 23 acquires a certificate from the server corresponding to the domain name recorded in the connection management table (steps S5 to S7), and stores the acquired certificate and the server authentication unit 23 in advance. If the registered certificates match and the server authentication is successful, the server authentication flag “1” is stored in the connection management table (steps S8 to S10). If the acquired certificate is different from the certificate stored in advance in the server authentication unit 23, the server authentication flag “0” is stored in the connection management table (step S8, step S9, step S11).

  After performing the server authentication process of FIG. 7, disk authentication as shown in FIG. 4 or FIG. 5 is performed.

  In the present embodiment, the method of performing the disc authentication process when (1) a disc is inserted into the content reproduction apparatus or (2) when an access request to the (network) is generated to the server has been described. At this time, if the replacement of the disc cannot be detected due to a malfunction of the content reproduction apparatus, there is a risk that the disc may be replaced with another disc after the disc authentication process.

  In this case, since the domain name, server recognition flag, and disk recognition flag in the connection destination management table are not deleted, the program stored on the replaced disk accesses the server with the domain name stored in the connection destination management table. It becomes possible to do.

  In order to avoid the risk, after the completion of the disk authentication process, the disk authentication unit 24 of the network access control unit has a certain timing based on a predetermined method (for example, a fixed period or an irregular period based on a random number), The disk authentication process may be executed repeatedly.

<Access control to limit the servers to be connected>
As shown in FIGS. 2 and 7, when the disc is inserted, the content reproduction apparatus 100 reads the domain name recorded in the specific area of the disc and records it in the connection destination management table. In the case of FIG. 2, server authentication and disk authentication are further performed, and “1” or “0” is recorded in the server authentication flag and the disk authentication flag.

  Next, a case where a network connection request is generated while the content reproduction apparatus 100 is reproducing content data on an inserted disc will be described with reference to the flowchart shown in FIG.

  The network connection request is recorded by (a) executing a program recorded on the disc after the disc is inserted into the content reproduction apparatus, and (b) recorded on the disc, for example, as will be described later. This occurs when a program or data downloaded from a network (server) already stored in the storage device 6 is played back and executed while the program is being executed.

  The network connection request is detected by the connection destination verification unit 22 of the network access control unit 2 as described above (step S51). The connection destination verification unit 22 acquires the domain name of the connection destination specified by the program that issued the network connection request (the program recorded on the disk or the program stored in the storage device 6) (step S52).

  When server authentication as shown in FIG. 7 is performed, a network connection request is first detected after inserting the disk in step S51 and step S52 (step S12 in FIG. 7), and the domain name of the connection destination Is acquired (step S13 in FIG. 7), server authentication is started, disk authentication is performed, and “1” or “0” is recorded in the server authentication flag and the disk authentication flag.

  Further, when performing the server authentication process as shown in FIG. 6, when a network connection request is detected for the first time after inserting the disk in step S51 and step S52 (step S12 in FIG. 6), The domain name recorded in the specific area of the disk is read out and recorded in the connection destination management table (steps S3 to S4 in FIG. 6). Thereafter, server authentication and disk authentication are performed, and “1” or “0” is recorded in the server authentication flag and the disk authentication flag.

  Accordingly, when a network connection request is detected in steps S51 and S52 in FIG. 8 and the domain name of the connection destination is acquired, the connection destination management table includes the domain in either case of FIG. 2, FIG. 6, or FIG. The name is recorded, and “1” or “0” is recorded in the server authentication flag and the disk authentication flag indicating the results of server authentication and disk authentication.

  The connection destination verification unit 22 (first condition) that the value of the server authentication flag is “1”, (second condition) that the value of the disk authentication flag is “1”, (third condition) ) In step S52, the following three conditions are satisfied: the domain name acquired from the network connection request source and the domain name recorded in the connection management table (domain name read from a specific area of the disk) match. Only when all are satisfied, connection to the server corresponding to the domain name recorded in the connection management table is permitted (step S53). If any one of the first to third conditions is not satisfied, connection to the network is not permitted (steps S53 and S55).

  If the connection verification unit 22 permits connection to the network, the communication unit 4 connects to the server corresponding to the domain name recorded in the connection management table, and reproduces / reproduces content data on the disc. Data, programs, and the like used for execution are received from the server (step S54). As a result, the reproduction / execution control unit 3 of the content reproduction apparatus 100 reproduces / executes the content data on the disc while communicating with the server (using data and programs downloaded from the server). .

  As described above, in the content playback device, server authentication, disk authentication, and access control as shown in FIG. 7 are performed, and the connection destination server is inserted into the content playback device when a network connection request occurs. By restricting the server to the server corresponding to the domain name recorded in the specific area of the disc, the content reproduction apparatus is prevented from becoming a stepping stone for DDoS attacks.

  In this embodiment, there is a one-to-one correspondence between disks and servers, and there is one server domain name stored in a specific area on the disk. When the domain name list consisting of the domain names is stored, the disk reading unit 12 reads the domain name list from the specific area in the same manner as when one domain name is stored in the specific area described above. Is held in the connection destination management table of the connection destination management unit 21. In this case, the server authentication process, the disk authentication process, and the access control process are performed on the identifiers of the servers described in the domain name list.

  For example, when a disk is inserted or when a connection request to the network occurs, the disk reading unit 12 reads the domain name list from a specific area of the disk and stores it in the connection destination management table (step S4). .

  The server authentication (steps S5 to S11) may be performed for each domain name on the domain name list immediately after reading. In addition, when a connection request to the network is generated by executing the program during content playback, if the domain name of the connection destination included in the program is included in the domain name list, You may make it perform the said server authentication about the server corresponding to a domain name.

  When a connection request to the network is generated by executing a program during content playback, if the domain name of the connection destination included in the program is included in the domain name list, the domain name is When the server authentication flag of the corresponding server is “1”, disk authentication is requested to the server corresponding to the domain name, and disk authentication is performed (steps S23 to S34).

<Storage control by storage controller and server>
In the content reproduction apparatus according to the present embodiment, data read from the disc, video / audio data downloaded from the server, programs, and the like are stored in the storage device 6 and used when necessary next time. Since the data stored in the storage device 6 can be accessed by anyone, problems such as leakage of stored personal information and the operation of the content reproduction device 100 due to execution of a falsified program occur. there is a possibility. In order to prevent these problems, the storage control unit 5 may be tampered with when storing data in the storage device 6, concealing the stored data, or when using data stored in the storage device 6. Whether or not the content reproduction device 100 uses the altered data. Such control in the storage controller 5 is referred to herein as storage control.

  A case where a data write request is generated while the content playback apparatus 100 is playing back content on a disc will be described with reference to the flowchart shown in FIG. The data write request is already stored in the storage device 6 when (a) executing the program recorded on the disk, and (b) executing the program recorded on the disk, for example. It is generated by an instruction from a user by playing back and executing data or a program downloaded from a network (server).

  The data stored in the storage device 6 in response to a data write request includes data (including a program) on the disc currently being played back, and data (program) downloaded from a server connected as shown in FIG. Etc.).

  In FIG. 9, when a data write request is generated (step S61) and the storage control unit 5 detects the data write request, the storage control unit 5 calculates a hash value of the data to be written (step S62). The hash value is calculated using, for example, MD5 or SHA-1.

  Next, in order to transmit the obtained hash value to the server (the server corresponding to the domain name registered in the connection destination management table), the connection destination verification unit 22 (first condition) of the server authentication flag Whether the value is “1” and (second condition) that the value of the disk authentication flag is “1” is checked. In particular, when a data write request is generated by executing a program and the connection destination is specified by the program, in addition to the first and second conditions, (third condition) ) Acquire the connection destination (for example, domain name) specified by the program that requested the data write request, and read the acquired domain name and the domain name recorded in the connection management table (from a specific area of the disk) The connection to the server corresponding to the domain name recorded in the connection management table is permitted only when all three conditions including the third condition that the domain name) match are satisfied ( Step S63). If any one of the above conditions is not satisfied, the connection to the network is not performed. Therefore, no data is written in the storage device 6 (step S64).

  When the connection destination verification unit 22 permits connection to the network, the process proceeds to step S65, and the content reproduction apparatus 100 connects to the server corresponding to the domain name registered in the connection destination table by the communication unit 4. The storage control unit 5 transmits the hash value of the data to be written to the server via the communication unit 4.

  When the server receives the hash value (step S66), it encrypts the received hash value using a secret key stored in advance in the server (step S67), and uses the encrypted hash value as a certificate. A reply is sent to the content reproduction apparatus 100 (step S68).

  When the content reproduction apparatus 100 receives the certificate transmitted from the server (step S69), the storage control unit 5 stores the file name of the data to be written (data file name) and the file name (certification of the received certificate data). Certificate file name) and an identifier (for example, the domain name of the server in this case) of the encrypted server (in this case, the server corresponding to the domain name registered in the connection destination management table) Is recorded in the management table provided in the storage device 6 (step S70). Further, the data (data file) to be written to the storage device 6 and the received certificate (certificate file) are stored in the storage device 6 (step S71).

  Next, when a content read request is generated for data stored in the storage device 6 as shown in FIG. This will be described with reference to the flowchart shown in FIG. The data read request is already stored in the storage device 6 when (a) executing the program recorded on the disk, and (b) executing the program recorded on the disk, for example. It is generated by an instruction from a user by playing back and executing data or a program downloaded from a network (server).

  In FIG. 10, when a data read request is generated (step S75) and the storage control unit 5 detects the data read request, the storage control unit 5 refers to the management table and the certificate corresponding to the data file name to be read. The file name and the server domain name are acquired (step S76). Further, the data file having the data file name and the certificate file corresponding to the certificate file name are read from the storage device 6 (step S77). Then, the storage controller 5 calculates the hash value of the data in the read data file (step S78).

  Next, in order to transmit the obtained hash value and the certificate data in the certificate file to the server (the server corresponding to the domain name registered in the connection destination management table), the connection destination verification unit 22 ( (First condition) The value of the server authentication flag is “1”, (Second condition) The value of the disk authentication flag is “1”, (Third condition) The domain name acquired in step S76 And the domain name recorded in the connection management table (the domain name read from a specific area of the disk) match only when all three conditions are satisfied. Connection to the server corresponding to the domain name is permitted (step S79). If any one of the above conditions is not satisfied, the connection to the network is not performed. Therefore, data is not read from the storage device 6 (step S80).

  If the connection verification unit 22 permits the connection to the network, the process proceeds to step S81, and the communication unit 4 causes the content reproduction apparatus 100 to connect to the server corresponding to the domain name registered in the connection destination table. Then, the storage control unit 5 transmits the hash value and certificate of the read data to the server via the communication unit 4 (Step S81).

  When the server receives the hash value and the certificate (step S82), it uses the same secret code stored in the server in advance, and encrypts the received hash value in step S67 of FIG. Encryption is performed using a method (step S83), and the encrypted hash value is checked against the certificate transmitted from the content reproduction apparatus (step S84). If the encrypted hash value matches the received certificate, “OK” is transmitted as a verification result to the content reproduction device. If the two are different, the verification result is “NG” to the content reproduction device. Transmit (step S85).

  When the content reproduction device 100 receives the collation result (step S86), the storage control unit 5 reproduces the data in the data file read from the storage device 6 when the collation result is “OK” (step S87). -It outputs to the execution control part 3 (step S88). If the collation result is “NG” (step S 87), the storage control unit 5 discards the data in the data file read from the storage device 6 instead of outputting it to the reproduction / execution control unit 3. A message indicating “unreadable” is output to the reproduction / execution control unit 3 (step S89).

  If the encrypted hash value is different from the received certificate in step S84, that is, if the authentication by the storage control fails, the data in the data file read from the storage device 6 in step S77. Means that it may have been tampered with. The storage control unit 5 increases the security of the content reproduction device 100 by preventing access to data stored in the storage device 6 that may be falsified (step S89). Can do.

  The storage control shown in FIGS. 9 and 10 shows a case where authentication is performed using a certificate of the data when the data stored in the storage device 6 is read.

  Next, storage control when the data stored in the storage device 6 is concealed (so as not to be tampered with) will be described with reference to the flowcharts shown in FIGS. 11 and 12.

  First, a case where a data write request is generated when content playback apparatus 100 is playing back content on a disc will be described with reference to the flowchart shown in FIG.

  In FIG. 11, when a data write request is generated (step S101), the connection destination verification unit 22 (first condition) the value of the server authentication flag is “1”, and (second condition) the disk authentication flag. Whether the value of “1” is “1” is satisfied. In particular, when a data write request is generated by executing a program and the connection destination is specified by the program, in addition to the first and second conditions, (third condition) ) Acquire the connection destination (for example, domain name) specified by the program that requested the data write request, and read the acquired domain name and the domain name recorded in the connection management table (from a specific area of the disk) The connection to the server corresponding to the domain name recorded in the connection management table is permitted only when all three conditions including the third condition that the domain name) match are satisfied ( Step S102). If any one of the above conditions is not satisfied, the connection to the network is not performed. Therefore, no data is written in the storage device 6 (step S103).

  If the connection destination verification unit 22 permits connection to the network, the process proceeds to step S104, and the content reproduction apparatus 100 connects to the server corresponding to the domain name registered in the connection destination table by the communication unit 4. Then, the storage control unit 5 transmits the data to be written to the server via the communication unit 4 (step S104).

  In the server that has received the data (step S105), the received data is encrypted using a secret key stored in advance in the server (step S106), and the encrypted data is returned to the content reproduction device 100 (step S106). Step S107).

  When the content reproduction apparatus 100 receives the encrypted data transmitted from the server (step S108), the storage control unit 5 performs encryption with the file name (data file name) of the encrypted data. A record in the storage control unit 5 is recorded with a set of identifiers (for example, the domain name of the server in this case) of the server (in this case, the server corresponding to the domain name registered in the connection destination management table). (Step S109). Further, the data (data file) encrypted in the storage device 6 is stored in the storage device 6 (step S110). The data concealed as described above is stored in the storage device 6.

  Next, when the content playback device 100 is playing back the content on the disc, a data read request is generated for the concealed data stored in the storage device 6 as shown in FIG. This case will be described with reference to the flowchart shown in FIG. The data read request is already stored in the storage device 6 when (a) executing the program recorded on the disk, and (b) executing the program recorded on the disk, for example. It is generated by an instruction from a user by playing back and executing data or a program downloaded from a network (server).

  In FIG. 12, when a data read request is generated (step S121), the storage control unit 5 refers to the management table and acquires the server domain name corresponding to the data file name to be read (step S122). Further, the data file having the data file name is read from the storage device 6 (step S123).

  In order to decrypt the data in the read data file, the connection destination verification unit 22 (first condition) that the value of the server authentication flag is “1”, (second condition) disk authentication flag Is the value of “1”, (third condition) the domain name acquired in step S122 matches the domain name recorded in the connection management table (the domain name read from the specific area of the disk). Only when all three conditions are satisfied, connection to the server corresponding to the domain name recorded in the connection management table is permitted (step S124). If any one of the above conditions is not satisfied, the connection to the network is not performed. Accordingly, data is not read from the storage device 6 (step S125).

  If the connection destination verification unit 22 permits connection to the network, the process proceeds to step S126, and the content reproduction device 100 connects to the server corresponding to the domain name registered in the connection destination table by the communication unit 4. To do. The storage control unit 5 transmits the encrypted data in the read data file to the server via the communication unit 4 (step S126).

  When the server receives the encrypted data (step S127), the server decrypts it using the secret key stored in advance in the server and the same encryption method as that used in the encryption in step S106 of FIG. 11 (step S127). S128). If the decryption is successful (step S129), the decrypted data “OK” and the decrypted data are transmitted to the content reproduction device (step S130). If the decryption fails (step S129), the collation result “ NG "is transmitted to the content reproduction apparatus (step S131).

  When the content reproduction apparatus 100 receives the decryption result (step S132), the storage control unit 5 outputs the decrypted data to the reproduction / execution control unit 3 when the decryption result is “OK” (step S133) (step S133). Step S134). If the decryption result is “NG” (step S133), the storage control unit 5 discards the data in the data file read from the storage device 6 and controls the reproduction / execution of the message indicating “unreadable”. It outputs to the part 3 (step S135).

  In the storage control, data cannot be written and read when connection to a server (network) is not performed. Hereinafter, a processing method for performing writing and reading of data when connection to a server (network) is not performed will be described.

  First, the writing process will be described. In step S64 of FIG. 9 and step S103 of FIG. 11, when the connection to the network becomes impossible, an authentication confirmation flag stored in advance in the storage control unit 5 is read. The authentication confirmation flag stores a value indicating whether or not to read / write when connection to the network is disabled (for example, “1” when read / write is permitted, “0” when not permitted). Yes. When the value of the authentication confirmation flag is “1”, the storage controller 5 stores the data without certificate generation or encryption (that is, emptying the certificate file name in the management table or the server domain name). Write to 6. In the case of “0”, writing is not performed.

  Next, in the read process, as in the write process, if connection to the network is disabled in step S80 of FIG. 10 and step S125 of FIG. 12, an authentication confirmation flag stored in advance in the storage control unit 5 is read. . When the value of the authentication confirmation flag is “1”, the storage control unit 5 reads the data from the storage device 6 without certificate confirmation or decryption, and outputs it to the reproduction / execution control means 3. When “0”, reading is not performed.

  In the above description, the authentication confirmation flag is used in common for both writing and reading processing, but separate authentication confirmation flags may be prepared for writing and reading.

  In addition, when a write request is detected in the write process, an authentication confirmation flag stored in advance in the storage control unit 5 is read, and the authentication confirmation flag permits reading and writing without creating or encrypting a certificate. In the case of “1”, the storage control unit 5 does not generate a certificate or encrypts (that is, whether it is a connection to the network or not) (that is, the certificate file name in the management table and the server domain). Write data to storage device 6 (with empty name). When the authentication confirmation flag is “0”, as described above, writing is performed after creating and encrypting the certificate. Here, when the connection to the server cannot be established (step S64 in FIG. 9 and step S103 in FIG. 11), such data writing is not performed.

  Further, in the read process, when a read request is detected, an authentication confirmation flag stored in advance in the storage control unit 5 is read, and the authentication confirmation flag permits reading without verifying or decrypting the certificate. In the case of “1”, the storage control unit 5 reproduces the data read from the storage device 6 without verifying or decrypting the certificate (regardless of whether connection to the network is possible or not). Output to. When the authentication confirmation flag is “0”, as described above, the data read from the storage device 6 is verified and decrypted, and then output to the reproduction / execution control means 3.

  In the above description, the authentication confirmation flag is used in common for both writing and reading processing, but separate authentication confirmation flags may be prepared for writing and reading.

<Storage control by storage control unit and content protection unit>
The storage control is performed between the storage control unit 5 and the server. Such storage control can also be performed inside the content reproduction apparatus 100.

  For example, the content on the disc is encrypted by a content protection technology such as AACS (Advanced Access Content System), the key used for encryption is concealed on the disc, and the content playback apparatus 100 uses the key. In the case of reproducing content using the content reproduction device 100, the content reproduction device 100 has a content protection unit 7 that performs encryption / decryption using a key concealed on the disc, as shown in FIG.

  In the content reproduction apparatus shown in FIG. 13, the storage control is performed by the content protection unit 7 and the storage control unit 6 using the content protection unit 7.

  First, storage control for performing authentication when reading data stored in the storage device 6 (corresponding to FIGS. 9 and 10) will be described with reference to flowcharts shown in FIGS.

  A case where a data write request is generated while the content playback apparatus 100 is playing back content on a disc will be described with reference to the flowchart shown in FIG. In FIG. 14, the same parts as those in FIG. 9 are denoted by the same reference numerals, and different parts will be described.

  In FIG. 14, since it is not necessary to access the network, steps S63 and S64 in FIG. 9 are omitted. That is, in FIG. 14, a data write request is generated (step S61), and when the storage control unit 5 calculates the hash value of the data to be written (step S62), the hash value is output to the content protection unit 7 (step S65). ).

  When the hash value is input to the content protection unit 7 (step S66), the hash value is encrypted using the key acquired from the currently playing disc and an arbitrary encryption method (step S67). The encrypted hash value is output as a certificate to the storage control unit 5 (step S68).

  When the certificate is input to the storage controller 5 (step S69), the storage controller 5 reads the file name of the data to be written (data file name) and the file name of the received certificate data (certificate file name). ) And the identifier of the encrypted content protection unit 7 is recorded in a management table provided in a memory in the storage control unit 5 (step S70). Further, the data (data file) to be written to the storage device 6 and the received certificate (certificate file) are stored in the storage device 6 (step S71).

  Here, the record recorded in the management table is in the same format as in FIG. 9, and an identifier indicating whether the entity that performed encryption for certificate creation is the server or the content protection unit 7 is written. The content reproduction apparatus can perform both storage control as shown in FIGS. 9 and 10 and storage control as shown in FIGS. When the content reproduction apparatus performs only storage control as shown in FIG. 14 in FIGS. 9 and 14, it is not necessary to record the identifier of the content protection unit 7 in the management table.

  Next, in the case where a content read request is generated for data stored in the storage device 6 as shown in FIG. This will be described with reference to the flowchart shown in FIG. In FIG. 15, the same parts as those in FIG. 10 are denoted by the same reference numerals, and different parts will be described.

  In FIG. 15, since it is not necessary to access the network, steps S79 and S80 in FIG. 10 are omitted. That is, in FIG. 15, a data read request is generated (step S75), and the storage control unit 5 acquires the certificate file name corresponding to the data file name to be read and the identifier of the content protection unit 7 from the management table ( Step S76). Further, the storage control unit 5 reads out the data file having the data file name and the certificate file corresponding to the certificate file name from the storage device 6 (step S77), and hashes the data in the read data file. A value is calculated (step S78). In this case, since the identifier obtained from the management table is the identifier of the content protection unit 7, the hash value and the read certificate are output to the content protection unit 7 (step S81).

  If the server identifier (domain name) is obtained from the management table, it is the same as FIG.

  When the hash value and certificate are input to the content protection unit 7 (step S82), the input hash value is encrypted in step S67 of FIG. 14 using the key acquired from the currently playing disc. Encryption is performed using the same encryption method as that used (step S83), and the encrypted hash value is collated with the input certificate (step S84). If the encrypted hash value matches the input certificate, the verification result “OK” is output to the storage control unit 5. If the two are different, the verification result “NG” is output to the storage control unit. 5 (step S85).

  When the collation result is input to the storage control unit 5 (step S86), the storage control unit 5 selects the data in the data file read from the storage device 6 when the collation result is “OK” (step S87). Is output to the reproduction / execution control unit 3 (step S88). If the collation result is “NG” (step S 87), the storage control unit 5 discards the data in the data file read from the storage device 6 instead of outputting it to the reproduction / execution control unit 3. A message indicating “unreadable” is output to the reproduction / execution control unit 3 (step S89).

  Next, storage control (corresponding to FIGS. 11 and 12) for storing the data after encrypting the data in the storage device 6 will be described with reference to the flowcharts shown in FIGS. .

  A case where a data write request is generated while the content playback apparatus 100 is playing back content on a disc will be described with reference to the flowchart shown in FIG. In FIG. 16, the same parts as those in FIG. 11 are denoted by the same reference numerals, and different parts will be described.

  In FIG. 16, since it is not necessary to access the network, steps S102 and S103 in FIG. 11 are omitted. That is, in FIG. 16, when a data write request occurs (step S101), the storage control unit 5 outputs data to be written to the content protection unit 7 (step S104).

  When data is input to the content protection unit 7 (step S105), the input data is encrypted using the key acquired from the currently playing disc (step S106), and the encrypted data is stored in the storage. It outputs to the control part 5 (step S107).

  When the encrypted data is input to the storage control unit 5 (step S108), the storage control unit 5 includes the file name (data file name) of the encrypted data and the encrypted content protection unit 7 A record with a set of identifiers is recorded in a management table provided in the storage device 6 (step S109). Further, the data (data file) encrypted in the storage device 6 is stored in the storage device 6 (step S110).

  Here, the record recorded in the management table is in the same format as in FIG. 11, and by writing an identifier indicating whether the main subject of encryption is the server or the content protection unit 7, the content playback apparatus Both the storage control shown in FIGS. 11 and 12 and the storage control shown in FIGS. 16 and 17 can be performed. When the content playback apparatus performs only storage control as shown in FIG. 16 in FIGS. 11 and 16, it is not necessary to record the identifier of the content protection unit 7 in the management table.

  Next, when a content read request is generated for data stored in the storage device 6 as shown in FIG. This will be described with reference to the flowchart shown in FIG. In FIG. 17, the same parts as those in FIG. 12 are denoted by the same reference numerals, and different parts will be described.

  In FIG. 17, since it is not necessary to access the network, step S124 and step S125 of FIG. 12 are omitted. That is, in FIG. 17, when a data read request is generated (step S121), the storage control unit 5 acquires the identifier of the content protection device corresponding to the data file name to be read from the management table (step S122). 6, the data file having the data file name is read out (step S123). In this case, since the identifier of the content protection unit 7 is obtained from the management table, the storage control unit 5 outputs the encrypted data in the read data file to the content protection unit 7 (step S126). ).

  When the encrypted data is input to the content protection unit 7 (step S127), the content protection unit 7 is the same as the key acquired from the currently playing disc and the encryption performed in step S106 of FIG. Decryption is performed using an encryption method (step S128). If the decryption is successful (step S129), the decrypted data “OK” and the decrypted data are output to the storage control unit 5 (step S130). If the decryption fails (step S129), the collation result “NG” is output to the storage controller 5 (step S131).

  When the decryption result is input to the storage control unit 5 (step S132), the storage control unit 5 outputs the decrypted data to the reproduction / execution control unit 3 when the decryption result is “OK” (step S133). (Step S134). If the decryption result is “NG” (step S133), the storage control unit 5 discards the data in the data file read from the storage device 6 and controls the reproduction / execution of the message indicating “unreadable”. It outputs to the part 3 (step S135).

  In the storage control by the storage control unit 5 and the server and the storage control by the storage control unit 5 and the content protection unit 7 described above, authentication is performed using the certificate of the data when reading the data stored in the storage device 6. Although the case where it carries out and the case where the data memorize | stored in the memory | storage device 6 were encrypted were demonstrated, storage control can also be performed combining these.

  For example, when writing arbitrary data to the storage device 6, the storage control unit 5 passes the data and the hash value of the data to the server or the content protection unit 7. The server or content protection unit 7 encrypts the received hash value to generate a certificate, encrypts the received data, and returns the generated certificate and encrypted data to the storage control unit 5. The storage control unit 5 stores the received certificate and encrypted data in the storage device 6.

  When reading data from the storage device 6, the storage control unit 5 reads the encrypted data and certificate stored in the storage device 6 and passes them to the server or the content protection unit 7. After decrypting the encrypted data, the content protection unit 7 calculates a hash value and further encrypts the hash value. The server or content protection unit 7 collates the encrypted hash value with the certificate, and returns the decrypted data to the storage control unit 5 if they match. The storage control unit 5 outputs the received data to the reproduction / execution control unit 3.

  In the above description, hash values are used everywhere, but hash values are identification information generated from given data, so that the original text cannot be estimated from the generated identification information. It has become.

  The storage device 6 is not particularly limited, such as a removable recording medium such as a hard disk or a memory card, or any storage device provided on a network.

  When the disk detection unit 11 detects the insertion of a disk, the connection destination management unit 21 reads the domain name from the specific area of the disk and stores the domain name in the connection destination management table. When the unit 11 detects the removal of the disk, the connection destination management unit 21 deletes the domain name from the connection destination management table. Also, while the disc is inserted into the content playback apparatus 100, a network connection request is detected, and after connecting to the server corresponding to the domain name stored in the connection destination management table, for some reason, When communication with the server is disconnected, the domain name is deleted from the connection destination management table. Further, when the server authentication flag and the disk authentication flag stored in the connection destination management table are “1”, they may be rewritten to “0”.

  According to the above embodiment, when a disc is inserted into the content reproduction apparatus, an identifier (domain name) indicating a server on the network is read from a predetermined specific storage area of the disc, and is stored in the connection destination management table. If a connection request to any server on the network is detected during playback / execution of content data including video / audio data and programs stored in the disk, The identifier (domain name) matches the domain name stored in the connection destination management table, the validity of the server corresponding to the domain name stored in the connection destination management table is confirmed, and the validity of the disk is confirmed. When confirmed, it connects to the server corresponding to the domain name stored in the connection destination management table. According to the content reproduction apparatus having such a configuration, a server connected to the disk during reproduction / execution of content data or a program recorded on the disk can be prevented from being executed / reproduced. The server can be limited to the server corresponding to the domain name stored in the upper specific area.

  In order to verify the legitimacy of the server and the disk on the network, the video information related to the content on the disk can be obtained and reproduced with peace of mind via the Internet. In addition, by limiting the servers that can be connected, dangerous content created with malicious intent cannot be connected to an unspecified number of servers, so that it can be avoided that it becomes a stepping stone for DDoS attacks. For this reason, it is possible not only to avoid damage caused by playing dangerous content, but also to be a perpetrator of attacks on other servers.

  The method of the present invention described in the embodiment of the present invention is a program that can be executed by a computer, such as a magnetic disk (flexible disk, hard disk, etc.), an optical disk (CD-ROM, DVD, etc.), a semiconductor memory, etc. It can be stored in a medium and distributed.

  For example, content data including video / audio data and a program is stored, and content data stored in a recording medium storing an identifier indicating a server on the network is reproduced / executed in a predetermined specific storage area. A computer having reproduction / execution means (disk control unit 1, reproduction / execution control unit 3), storage means, and communication unit 4 realizes the functions of the network access control unit 2, the storage control unit 6, and the content protection unit 7. The content reproduction apparatus of FIG. 1 is realizable when the said computer runs the program for this.

  Note that the present invention is not limited to the above-described embodiment as it is, and can be embodied by modifying the constituent elements without departing from the scope of the invention in the implementation stage. In addition, various inventions can be formed by appropriately combining a plurality of components disclosed in the embodiment. For example, some components may be deleted from all the components shown in the embodiment. Furthermore, constituent elements over different embodiments may be appropriately combined.

The figure which showed the structural example of the content reproduction apparatus which concerns on embodiment of this invention. The flowchart for demonstrating server authentication processing operation | movement (server authentication performed at the time of disk insertion). The figure which showed an example of the authentication procedure used for server authentication. The flowchart for demonstrating disk authentication processing operation. 12 is a flowchart for explaining another disk authentication processing operation. The flowchart for demonstrating other server authentication processing operation | movement (server authentication performed when a network connection request | requirement generate | occur | produces). 12 is a flowchart for explaining still another server authentication processing operation (server authentication performed when a network connection request occurs). 6 is a flowchart for explaining a processing operation of the content reproduction apparatus when a network connection request is generated during disk reproduction. The flowchart for demonstrating the storage control process (The processing operation of a content reproduction apparatus and a server when a data write request generate | occur | produces) by a storage control part and a server. The flowchart for demonstrating the storage control processing (The processing operation of a content reproduction apparatus and a server when a data read-out request | requirement generate | occur | produces) by a storage control part and a server. The flowchart for demonstrating the other storage control processing (The processing operation of a content reproduction apparatus and a server when a data write request generate | occur | produces) by a storage control part and a server. The flowchart for demonstrating the other storage control processing (The content reproduction apparatus and server processing operation when a data read-out request | requirement generate | occur | produces) by a storage control part and a server. The figure which showed the other structural example of the content reproduction apparatus. The flowchart for demonstrating the storage control (processing operation of a storage control part and a content protection part when a data write request generate | occur | produces) by a storage control part and a content protection part. The flowchart for demonstrating the storage control (processing operation of a storage control part and a content protection part when a data read request generate | occur | produces) by a storage control part and a content protection part. The flowchart for demonstrating the other storage control (The processing operation of a storage control part and a content protection part when a data write request generate | occur | produces) by a storage control part and a content protection part. The flowchart for demonstrating the other storage control (The processing operation of a storage control part and a content protection part when a data read request generate | occur | produces) by a storage control part and a content protection part. The figure which showed an example of the connection destination management table memorize | stored in the connection destination management part.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 1 ... Disk control part, 2 Network access control part, 3 ... Playing / execution control part, 4 ... Communication part, 5 ... Storage control part, 6 ... Storage device, 7 ... Content protection part, 11 ... Disk detection part, 12 ... Disc reading unit, 21 ... connection destination management unit, 22 ... connection destination verification unit, 23 ... server authentication unit, 24 ... disc authentication unit, 100 ... content reproduction device, 101 ... server.

Claims (29)

Reproduction / execution means for reproducing and executing the content data from a recording medium that stores video / audio data and content data including a program, and storing an identifier indicating a server that is permitted to access the network,
Reading means for reading an identifier indicating the server to which access is permitted from the recording medium;
Storage means for storing the read identifier;
When a connection request to an identifier of a server on the network included in the program is detected during playback and execution by the playback / execution means, the detected identifier matches the identifier stored in the storage means. Identifier verification means for verifying whether or not,
Server verification means for verifying the validity of the server corresponding to the identifier stored in the storage means;
A server corresponding to the identifier stored in the storage means communicates with the server in order to verify the validity of the recording medium using data read from the storage area on the recording medium. Communication means to perform;
When the identifier of the server included in the program matches the identifier stored in the storage unit, and the validity of the server corresponding to the identifier stored in the storage unit and the validity of the recording medium are verified Connection means for receiving the connection request and connecting to a server corresponding to the identifier stored in the storage means;
A content playback apparatus comprising: The communication means includes
In order to verify the validity of the recording medium at the server corresponding to the identifier stored in the storage means, identification of the data from the data read from the storage area on the recording medium designated by the server Generating means for generating information;
Transmitting means for transmitting the identification information to a server corresponding to the identifier stored in the storage means;
Receiving means for receiving a verification result of the recording medium from a server corresponding to the identifier stored in the storage means;
The content reproduction apparatus according to claim 1, further comprising:   2. The content reproducing apparatus according to claim 1, wherein the reading unit reads the identifier from the recording medium when the recording medium is inserted into the content reproducing apparatus.   When the server identifier included in the program matches the identifier stored in the storage unit, the server verification unit verifies the validity of the server corresponding to the identifier stored in the storage unit, and the storage unit 2. The content reproducing apparatus according to claim 1, wherein the validity of the recording medium is verified when the validity of the server corresponding to the identifier stored in (2) is verified.   2. The content reproducing apparatus according to claim 1, wherein the validity of the recording medium is verified when the validity of the server corresponding to the identifier stored in the storage means is verified by the server verification means.   When the identifier of the server included in the program matches the identifier stored in the storage unit, and the validity of the server corresponding to the identifier stored in the storage unit and the validity of the recording medium are verified 2. The content reproduction apparatus according to claim 1, wherein the server corresponding to the identifier stored in the storage means is a specific server predetermined for content data stored in the recording medium. .   If the connection request is detected after the validity of the server corresponding to the identifier stored in the storage means and the validity of the recording medium are verified, the connection means is a server included in the program. 2. The content reproduction apparatus according to claim 1, wherein when the identifier stored in said storage means matches with the identifier stored in said storage means, a connection is made to a server corresponding to the identifier stored in said storage means.   3. The content reproduction apparatus according to claim 2, wherein the storage area on the recording medium designated by the server corresponding to the identifier stored in the storage means is a storage area in which the program is stored.   The generating means is based on the data series transmitted from the server corresponding to the identifier stored in the storage means and the data read from the storage area on the recording medium designated by the server. The content reproduction apparatus according to claim 2, wherein: First detection means for detecting a write request for arbitrary data during reproduction / execution of the content data by the reproduction / execution means;
Means for generating identification information of the arbitrary data when the write request is detected by the first detection means;
Means for generating a certificate of the arbitrary data by encrypting the identification information;
Means for storing the arbitrary data and the certificate in a storage device;
The content reproduction apparatus according to claim 1, further comprising: Second detection means for detecting a read request for data stored in the storage device during reproduction / execution of the content data by the reproduction / execution means;
Means for reading the data and the certificate from the storage device when the read request is detected by the second detection means;
Means for generating identification information of the read data;
Means for encrypting the identification information;
Means for outputting the read data to the reproduction / execution means when the encrypted identification information matches the certificate;
The content playback apparatus according to claim 10, further comprising: First detection means for detecting a write request for arbitrary data during reproduction / execution of the content data by the reproduction / execution means;
Means for generating encrypted data by encrypting the arbitrary data when the write request is detected by the first detection means;
Means for storing the encrypted data in a storage device;
The content reproduction apparatus according to claim 1, further comprising: Second detection means for detecting a read request for encrypted data stored in the storage device during reproduction / execution of the content data by the reproduction / execution means;
Means for reading out the encrypted data from the storage device when the read request is detected by the third detection means;
Means for decrypting the read encrypted data;
Means for outputting the decrypted data to the reproduction / execution means;
The content playback apparatus according to claim 12, further comprising: First detection means for detecting a write request for arbitrary data during reproduction / execution of the content data by the reproduction / execution means;
Means for generating identification information of the arbitrary data when the write request is detected by the first detection means;
Means for transmitting the identification information to a server corresponding to the identifier stored in the storage means;
Means for receiving a certificate of the arbitrary data generated based on the identification information from a server corresponding to the identifier stored in the storage means;
Means for storing the arbitrary data and the certificate in a storage device;
The content reproduction apparatus according to claim 1, further comprising: Second detection means for detecting a read request for data stored in the storage device during reproduction / execution of the content data by the reproduction / execution means;
Means for reading the data and the certificate from the storage device when the read request is detected by the second detection means;
Means for generating identification information of the read data;
Means for transmitting the identification information and the certificate to a server corresponding to the identifier stored in the storage means;
Means for receiving a verification result of the identification information from a server corresponding to the identifier stored in the storage means;
Means for outputting the read data to the reproduction / execution means when receiving a verification result that the identification information is valid;
The content reproduction apparatus according to claim 14, further comprising: First detection means for detecting a write request for arbitrary data during reproduction / execution of the content data by the reproduction / execution means;
Means for transmitting the arbitrary data to a server corresponding to the identifier stored in the storage means when the write request is detected by the first detection means;
Means for receiving encrypted data from a server corresponding to the identifier stored in the storage means;
Means for storing the encrypted data in a storage device;
The content reproduction apparatus according to claim 1, further comprising: Second detection means for detecting a read request for encrypted data stored in the storage device during reproduction / execution of the content data by the reproduction / execution means;
Means for reading the encrypted data from the storage device when the read request is detected by the second detection means;
Means for transmitting the read encrypted data to a server corresponding to the identifier stored in the storage means;
Means for receiving decrypted data from a server corresponding to the identifier stored in the storage means;
Means for outputting the received data to the reproduction / execution means;
The content reproduction apparatus according to claim 16, further comprising: The receiving means receives a validity period of the validity of the recording medium from a server corresponding to the identifier stored in the storage means, together with a notification indicating that the validity of the recording medium has been verified,
The communication means communicates with the server in order to verify the validity of the recording medium when the validity period has elapsed and when a predetermined user operation is performed. The content reproduction apparatus according to claim 2, wherein: The receiving means receives the identification information of the content reproduction apparatus together with a notification indicating that the validity of the recording medium has been verified from the server corresponding to the identifier stored in the storage means, and the identification information Is stored in the storage means,
The connection means receives the connection request and transmits identification information of the content reproduction apparatus to the server when connecting to a server corresponding to the identifier stored in the storage means. Item 3. A content playback apparatus according to Item 2. The receiving means corresponds to the identifier stored in the storage means, together with a notification indicating that the validity of the recording medium has been verified, and the identification information of the content reproduction apparatus and the validity period of the validity of the recording medium Received from the server
20. The content reproduction apparatus according to claim 19, wherein the identification information of the content reproduction apparatus is deleted from the storage unit when the valid period has elapsed and when a predetermined user operation is performed.   The communication means communicates with the server in order to verify the validity of the recording medium at regular intervals or irregularly after the validity of the recording medium is verified. The content reproduction apparatus according to claim 1, wherein   The connection means receives the write request and corresponds to the identifier stored in the storage means when the validity of the server corresponding to the identifier stored in the storage means and the validity of the recording medium are verified. 17. The content reproduction apparatus according to claim 14, wherein the content reproduction apparatus is connected to a server.   When the validity of the server corresponding to the identifier stored in the storage means and the validity of the recording medium are verified, the connection means receives the read request and corresponds to the identifier stored in the storage means 18. The content reproduction apparatus according to claim 15, wherein the content reproduction apparatus is connected to a server. Means for storing a flag to permit writing of the data for which the certificate is not generated to the storage device;
Means for storing the arbitrary data in the storage device when the permission flag is stored when the write request is detected by the first detection means;
The content reproduction apparatus according to claim 14, further comprising: Means for storing a flag indicating that reading is permitted without performing verification using the certificate;
Means for outputting the data read from the storage device to the reproduction / execution means when the permission flag is stored when the read request is detected by the second detection means; When,
The content reproduction apparatus according to claim 15, further comprising: Means for storing a flag indicating that writing of unencrypted data to the storage device is permitted;
Means for storing the arbitrary data in the storage device when the permission flag is stored when the write request is detected by the first detection means;
The content reproduction apparatus according to claim 16, further comprising: Means for storing a flag indicating that reading is permitted without decryption;
Means for outputting the data read from the storage device to the reproduction / execution means when the permission flag is stored when the read request is detected by the second detection means; When,
The content playback apparatus according to claim 17, further comprising: A first step of storing content data including video / audio data and a program, and reproducing and executing the content data from a recording medium storing an identifier indicating a server to which access is permitted on the network;
A second step of reading an identifier indicating the server to which access is permitted from the recording medium;
A third step of storing the read identifier in a storage means;
When a connection request to a network server identifier included in the program is detected during playback and execution in the first step, the detected identifier matches the identifier stored in the storage means. A fourth step of verifying whether or not,
A fifth step of verifying the validity of the server corresponding to the identifier stored in the storage means;
A server corresponding to the identifier stored in the storage means communicates with the server in order to verify the validity of the recording medium using data read from the storage area on the recording medium. A sixth step to perform;
When the identifier of the server included in the program matches the identifier stored in the storage unit, and the validity of the server corresponding to the identifier stored in the storage unit and the validity of the recording medium are verified A seventh step of receiving the connection request and connecting to a server corresponding to the identifier stored in the storage means;
A content reproduction method characterized by comprising: Reproduction / execution means for reproducing and executing the content data from a recording medium that stores video / audio data and content data including a program, and storing an identifier indicating a server that is permitted to access the network,
In a computer with storage means,
A first step of reading the identifier from the recording medium;
A second step of storing the identifier read in the first step in the storage means;
When a connection request to an identifier of a server on the network included in the program is detected during the reproduction / execution of the content data by the reproduction / execution means, the detected identifier and the identifier stored in the storage means A third step of verifying whether or not matches,
A fourth step of verifying the validity of the server corresponding to the identifier stored in the storage means;
In the server corresponding to the identifier stored in the storage means, in order to verify the validity of the recording medium using data read from the storage area on the recording medium, communication with the server is performed. A fifth step to perform;
When the identifier of the server included in the program matches the identifier stored in the storage unit, and the validity of the server corresponding to the identifier stored in the storage unit and the validity of the recording medium are verified A sixth step of receiving the connection request and connecting to a server corresponding to the identifier stored in the storage means;
A program to be executed.

Images